Privacy Act: [DEFENSE DEPARTMENT]...

	Web GovRecords.org

  (i) Expressly authorized by federal statute;
  (ii) Expressly authorized by the individual; or
  (iii) Maintenance of the information is pertinent to and within the 
scope of an authorized law enforcement activity.
  (2) First Amendment rights include, but are not limited to, freedom of 
religion, freedom of political beliefs, freedom of speech, freedom of 
the press, the right to assemble, and the right to petition.
  (f) System manager's evaluation. (1) Evaluate the information to be 
included in each new system before establishing the system and evaluate 
periodically the information contained in each existing system of 
records for relevancy and necessity. Such a review shall also occur when 
a system notice amendment or alteration is prepared (see 
Sec. Sec. 310.63 and 310.64 of subpart G of this part).
  (2) Consider the following:
  (i) The relationship of each item of information retained and 
collected to the purpose for which the system is maintained;
  (ii) The specific impact on the purpose or mission of not collecting 
each category of information contained in the system;
  (iii) The possibility of meeting the information requirements through 
use of information not individually identifiable or through other 
techniques, such as sampling;
  (iv) The length of time each item of personal information must be 
retained;
  (v) The cost of maintaining the information; and
  (vi) The necessity and relevancy of the information to the purpose for 
which it was collected.
  (g) Discontinued information requirements. (1) Stop collecting 
immediately any category or item of personal information from which 
retention is no longer justified. Also excise this information from 
existing records, when feasible.
  (2) Do not destroy any records that must be retained in accordance 
with disposal authorizations established under 44 U.S.C., Section 303a, 
``Examination by the Administrator of General Services of Lists and 
Schedules of Records Lacking Preservation Value, Disposal of Records.''

  [51 FR 1364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991 
and amended at 56 FR 57800, Nov. 14, 1991]

   Sec. 310.11  Standards of accuracy.

  (a) Accuracy of information maintained. Maintain all personal 
information that is used or may be used to make any determination about 
an individual with such accuracy, relevance, timeliness, and 
completeness as is reasonably necessary to ensure fairness to the 
individual in making any such determination.
  (b) Accuracy determination before dissemination. Before disseminating 
any personal information from a system of records to any person outside 
the Department of Defense, other than a federal agency, make reasonable 
efforts to ensure that the information to be disclosed is accurate, 
relevant, timely, and complete for the purpose it is being maintained 
(see also paragraph (d) of Sec. 310.30, subpart D and paragraph (d) of 
Sec. 310.40, subpart E of this part).

  [51 FR 1364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991 
and amended at 56 FR 57800, Nov. 14, 1991]

   Sec. 310.12  Government Contractors.

  (a) Applicability to government contractors. (1) When a DoD Component 
contracts for the operation or maintenance of a system of records or a 
portion of a system of records by a contractor, the record system or the 
portion of the record system affected are considered to be maintained by 
the DoD Component and are subject to this part. The Component is 
responsible for applying the requirements of this part to the 
contractor. The contractor and its employees are to be considered 
employees of the DoD Component for purposes of the sanction provisions 
of the Privacy Act during the performance of the contract. Consistent 
with the Defense Acquisition Regulation (DAR), Sec. 1.327, ``Protection 
of Individual Privacy'' contracts requiring the maintenance of a system 
of records or the portion of a system of records shall identify 
specifically the record system and the work to be performed and shall 
include in the solicitation and resulting contract such terms as are 
prescribed by the DAR.
  (2) If the contractor must use or have access to individually 
identifiable information subject to this part to perform any part of a 
contract, and the information would have been collected and maintained 
by the DoD Component but for the award of the contract, these contractor 
activities are subject to this Regulation.
  (3) The restriction in paragraphs (a) (1) and (2) of Sec. 310.12 of 
this part do not apply to records:
  (i) Established and maintained to assist in making internal contractor 
management decisions, such as records maintained by the contractor for 
use in managing the contract;
  (ii) Maintained as internal contractor employee records even when used 
in conjunction with providing goods and services to the Department of 
Defense; or
  (iii) Maintained as training records by an educational organization 
contracted by a DoD Component to provide training when the records of 
the contract students are similar to and comingled with training records 
of other students (for example, admission forms, transcripts, academic 
counselling and similar records);
  (iv) Maintained by a consumer reporting agency to which records have 
been disclosed under contract in accordance with the Federal Claims 
Collection Act of 1966, Title 31, United States Code, section 952(d).
  (4) DoD Components must publish instruction that:
  (i) Furnish DoD Privacy Program guidance to their personnel who 
solicit, award, or administer government contracts;
  (ii) Inform prospective contractors of their responsibilities 
regarding the DoD Privary Program; and
  (iii) Establish an internal system of contractor performance review to 
ensure compliance with the DoD Privacy Program.
  (b) Contracting procedures. The Defense Systems Acquisition Regulatory 
Council (DSARC) is responsible for developing the specific policies and 
procedures to be followed when soliciting bids, awarding contracts or 
administering contracts that are subject to this part.
  (c) Contractor compliance. Through the various contract surveillance 
programs, ensure contractors comply with the procedures established in 
accordance with paragraph (b) of this section.
  (d) Disclosure of records to contractors. Disclosure of personal 
records to a contractor for the use in the performance of any DoD 
contrtact by a DoD Component is considered a disclosure within the 
Department of Defense (see paragraph (b) of Sec. 310.40, subpart E of 
this part). The contractor is considered the agent of the contracting 
DoD Component and to be maintaining and receiving the records for that 
Component.

  [51 FR 1364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991 
and amended at 56 FR 57800, Nov. 14, 1991]

   Sec. 310.13  Safeguarding personal information.

  (a) General responsibilities. Establish appropriate administrative, 
technical and physical safeguards to ensure that the records in every 
system of records are protected from unauthorized alteration or 
disclosure and that their confidentiality is protected. Protect the 
records against reasonably anticipated threats or hazards that could 
result in substantial harm, embarrassment, inconvenience, or unfairness 
to any individual about whom information is kept.
  (b) Minimum standards. (1) Tailor system safeguards to conform to the 
type of records in the system, the sensitivity of the personal 
information stored, the storage medium used and, to a degree, the number 
of records maintained.
  (2) Treat all unclassified records that contain personal information 
that normally would be withheld from the public under Exemption Numbers 
6 and 7, of Sec. 286.31, subpart D of 32 CFR part 286 (DoD Freedom of 
Information Act Program) as if they were designated ``For Official Use 
Only'' and safeguard them in accordance with the standards established 
by subpart E of 32 CFR part 286 (DoD FOIA Program) even if they are not 
actually marked ``For Official Use Only.''
  (3) Afford personal information that does not meet the criteria 
discussed in paragraph (c)(3) of Sec. 310.13 of this subpart that degree 
of security which provides protection commensurate with the nature and 
type of information involved.
  (4) Special administrative, physical, and technical procedures are 
required to protect data that is stored or being processed temporarily 
in an automated data processing (ADP) system or in a word processing 
activity to protect it against threats unique to those environments (see 
Appendices A and B).
  (5) Tailor safeguards specifically to the vulnerabilities of the 
system.
  (c) Records disposal. (1) Dispose of records containing personal data 
so as to prevent inadvertent compromise. Disposal methods such as 
tearing, burning, melting, chemical decomposition, pulping, pulverizing, 
shredding, or mutilation are considered adequate if the personal data is 
rendered unrecognizable or beyond reconstruction.
  (2) The transfer of large quantities of records containing personal 
data (for example, computer cards and printouts) in bulk to a disposal 
activity, such as the Defense Property Disposal Office, is not a release 
of personal information under this part. The sheer volume of such 
transfers make it difficult or impossible to identify readily specific 
individual records.
  (3) When disposing of or destroying large quantities of records 
containing personal information, care must be exercised to ensure that 
the bulk of the records is maintained so as to prevent specific records 
from being readily identified. If bulk is maintained, no special 
procedures are required. If bulk cannot be maintained or if the form of 
the records make individually identifiable information easily available, 
dispose of the record in accordance with paragraph (c)(1) of this 
section.

Subpart C--Collecting Personal Information

   Sec. 310.20  General considerations.

  (a) Collect directly from the individual. Collect to the greatest 
extent practicable personal information directly from the individual to 
whom it pertains if the information may be used in making any 
determination about the rights, privileges, or benefits of the 
individual under any federal program (see also paragraph (c) of this 
section).
  (b) Collecting Social Security Numbers (SSNs). (1) It is unlawful for 
any federal, state, or local governmental agency to deny an individual 
any right, benefit, or privilege provided by law because the individual 
refuses to provide his or her SSN. However, if a federal statute 
requires that the SSN be furnished or if the SSN is required to verify 
the identity of the individual in a system of records that was 
established and in use before January 1, 1975, and the SSN was required 
as an identifier by a statute or regulation adopted before that date, 
this restriction does not apply.
  (2) When an individual is requested to provide his or her SSN, he or 
she must be advised:
  (i) The uses that will be made of the SSN;
  (ii) The statute, regulation, or rule authorizing the solicitation of 
the SSN; and
  (iii) Whether providing the SSN is voluntary or mandatory.
  (3) Include in any systems notice for any system of records that 
contains SSNs a statement indicating the authority for maintaining the 
SSN and the sources of the SSNs in the system. If the SSN is obtained 
directly from the individual indicate whether this is voluntary or 
mandatory.
  (4) Executive Order 9397, ``Numbering System For Federal Accounts 
Relating to Individual Persons,'' November 30, 1943, authorizes 
solicitation and use of SSNs as numerical identifier for individuals in 
most federal records systems. However, it does not provide mandatory 
authority for soliciting SSNs.
  (5) Upon entrance into military service or civilian employment with 
the Department of Defense, individuals are asked to provide their SSNs. 
The SSN becomes the service or employment number for the individual and 
is used to establish personnel, financial, medical, and other official 
records. Provide the notification in paragraph (b)(2) of this section to 
the individual when originally soliciting his or her SSN. After an 
individual has provided his or her SSN for the purpose of establishing a 
record, the notification in paragraph (b)(2) of this section is not 
required if the individual is only requested to furnish or verify the 
SSNs for identification purposes in connection with the normal use of 
his or her records. However, if the SSN is to be written down and 
retained for any purpose by the requesting official, the individual must 
be provided the notification required by paragraph (b)(2) of this 
section.
  (6) Consult the Office of Personnel Management, Federal Personnel 
Manual (5 CFR parts 293, 294, 297 and 735) when soliciting SSNs for use 
in OPM records systems.
  (c) Collecting personal information from third parties. It may not be 
practical to collect personal information directly from the individual 
in all cases. Some examples of this are:
  (1) Verification of information through third party sources for 
security or employment suitability determinations;
  (2) Seeking third party opinions such as supervisory comments as to 
job knowledge, duty performance, or other opinion-type evaluations;
  (3) When obtaining the needed information directly from the individual 
is exceptionally difficult or may result in unreasonable costs; or
  (4) Contacting a third party at the request of the individual to 
furnish certain information such as exact periods of employment, 
termination dates, copies of records, or similar information.
  (d) Privacy Act Statements. (1) When an individual is requested to 
furnish personal information about himself or herself for inclusion in a 
system of records, a Privacy Act Statement is required regardless of the 
medium used to collect the information (forms, personal interviews, 
stylized formats, telephonic interviews, or other methods). The Privacy 
Act Statement consists of the elements set forth in paragraph (d)(2) of 
this section. The statement enables the individual to make an informed 
decision whether to provide the information requested. If the personal 
information solicited is not to be incoporated into a system of records, 
the statement need not be given. However, personal information obtained 
without a Privacy Act Statement shall not be incorporated into any 
system of records. When soliciting SSNs for any purpose, see paragraph 
(b)(2) of this section.
  (2) The Privacy Act Statement shall include:
  (i) The specific federal statute or Executive Order that authorizes 
collection of the requested information (see paragraph (d) of 
Sec. 310.10 of this part).
  (ii) The principal purpose or purposes for which the information is to 
be used;
  (iii) The routine uses that will be made of the information (see 
paragraph (e) of Sec. 310.41, subpart E of this part);
  (iv) Whether providing the information is voluntary or mandatory (see 
paragraph (e) of this section); and
  (v) The effects on the individual if he or she chooses not to provide 
the requested information.
  (3) The Privacy Act Statement shall be concise, current, and easily 
understood.
  (4) The Privacy Act statement may appear as a public notice (sign or 
poster), conspicuously displayed in the area where the information is 
collected, such as at check-cashing facilities or identification 
photograph facilities.
  (5) The individual normally is not required to sign the Privacy Act 
Statement.
  (6) Provide the individual a written copy of the Privacy Act Statement 
upon request. This must be done regardless of the method chosen to 
furnish the initial advisement.
  (e) Mandatory as opposed to voluntary disclosures. Include in the 
Privacy Act Statement specifically whether furnishing the requested 
personal data is mandatory or voluntary. A requirement to furnish 
personal data is mandatory only when a federal statute, Executive Order, 
regulation, or other lawful order specifically imposes a duty on the 
individual to provide the information sought, and the individual is 
subject to a penalty if he or she fails to provide the requested 
information. If providing the information is only a condition of or 
prerequisite to granting a benefit or privilege and the individual has 
the option of requesting the benefit or privilege, providing the 
information is always voluntary. However, the loss or denial of the 
privilege, benefit, or entitlement sought may be listed as a consequence 
of not furnishing the requested information.

  [51 FR 1364, Jan. 16, 1986. Redesignated at 56 FR 55631, Oct. 29, 1991 
and amended at 56 FR 57800, Nov. 14, 1991]

   Sec. 310.21  Forms.

  (a) DoD forms. (1) DoD Directive 5000.21, ``Forms Management Program'' 
provides guidance for preparing Privacy Act Statements for use with 
forms (see also paragraph (b)(1) of this section).
  (2) When forms are used to collect personal information, the Privacy 
Act Statement shall appear as follows (listed in the order of 
preference):
  (i) In the body of the form, preferably just below the title so that 
the reader will be advised of the contents of the statement before he or 
she begins to complete the form;
  (ii) On the reverse side of the form with an appropriate annotation 
under the title giving its location;

Other Popular 1995 Privacy Act Documents Documents:

Other Documents:

1995 Privacy Act Documents Records and Documents